About Andrew

Andrew Mathieson is an information risk and cyber security director in the Firm’s Boston, Massachusetts office and a member of its IT Risk and Advisory Services practice group. He has extensive experience planning, executing and overseeing IT security and attestation audit examinations, including: Statement on Standards for Attestation Engagements (SSAE 18) reports, including System and Organization Controls (SOC 1, SOC 2 and SOC 3); Agreed Upon Procedures; Sarbanes-Oxley (SOX 404); Meaningful Use assessments; HIPAA assessments; cyber security assessments; HITRUST assessments; ISO 27001 assessments; FFIEC assessments; DMF assessments; GLBA; and General IT Controls Reviews and Application Control Reviews.

Additionally, Mr. Mathieson is responsible for managing risk assessment engagements to evaluate confidentiality, processing integrity, availability, security, and privacy concerns.

Professional & Civic Affiliations

  • Information Systems Audit and Control Association (ISACA)
  • International Association of Privacy Professionals (IAPP)
  • International Association of Risk and Compliance Professionals (IARCP)

Certifications

  • Certified Information Systems Auditor (CISA)
  • Certified CSF Practitioner (CCSFP)
  • Certificate of Cloud Security Knowledge (CCSK)
  • Certified Information Systems Risk and Compliance Professional (CISRCP)

Practice Focus

  • SOC 1, SOC 2 and SOC 3
  • Data Security Regulations (e.g. HITRUST)
  • Risk Assessments & IT Audits
  • Cyber Security
  • HIPAA Assessments
  • General IT Controls
  • Sarbanes-Oxley 404

Education

Bachelor of Science in Business Administration, Eastern Nazarene College

Master of Science in Human Resources and Business, Framingham State University